Duo Certificate Authority (CA) bundle update: Important changes coming February 2026

James Drew

Senior Security Consultant

As technology evolves, so do the security foundations that underpin the systems we rely on every day. One such foundational change is coming soon from Cisco Duo, the widely‑used multi‑factor authentication (MFA) platform that many organisations deploy to secure access to critical systems.

Although this change isn’t a vulnerability in the traditional sense, it could impact the availability of Duo authentication services for outdated software and integrations. In this post, we discuss what’s changing, why it’s happening, and what actions you should take.

A Certificate Authority (CA) is a trusted organisation that issues digital certificates used to verify identity and enable secure communication. A CA bundle is a collection of CA certificates that software uses to validate the authenticity of the services it connects to. Certificate pinning is a security mechanism where an application includes a hard‑coded list of trusted certificates.

When Duo clients, such as authentication proxies, SDKs, or agent software connect to Duo’s cloud services, they rely on a CA bundle included in the software to establish trust. If that bundle becomes outdated, communications can fail.
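The failure mode described above can be reproduced offline. The following is an added example, not code from Duo or from the original post: it assumes the `openssl` CLI is installed, and every CA, certificate and host name in it (`old-root`, `new-root`, `service.example.test`) is constructed throwaway test material rather than Duo's real roots.

```shell
#!/bin/sh
# Added example. All CAs and certificates here are constructed throwaway test
# material; none of them are Duo's real roots. Requires the openssl CLI.

# make_ca DIR NAME: create a self-signed root (NAME.key, NAME.pem) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA HOST: issue DIR/leaf.pem for HOST, signed by root CA.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/leaf.pem" 2>/dev/null
}

# bundle_trusts BUNDLE CERT: succeed only if CERT chains to a root in BUNDLE.
# -no-CApath keeps the system trust directory out, as a pinned client would.
bundle_trusts() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# simulate_rotation: the service moves to a certificate issued under a new
# root; compare a client pinned to the old bundle with an updated client.
simulate_rotation() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir" old-root && make_ca "$dir" new-root &&
        make_leaf "$dir" new-root service.example.test ||
        { rm -rf "$dir"; return 1; }
    # Outdated client: bundle holds only the old root.
    cp "$dir/old-root.pem" "$dir/pinned-old.pem"
    # Updated client: constructed bundle holding both roots.
    cat "$dir/old-root.pem" "$dir/new-root.pem" > "$dir/pinned-updated.pem"
    old=FAIL; new=FAIL
    if bundle_trusts "$dir/pinned-old.pem" "$dir/leaf.pem"; then old=OK; fi
    if bundle_trusts "$dir/pinned-updated.pem" "$dir/leaf.pem"; then new=OK; fi
    rm -rf "$dir"
    echo "old-bundle=$old updated-bundle=$new"
}

simulate_rotation
```

`bundle_trusts` takes any PEM bundle and PEM certificate, so the same check can be run against the CA bundle file shipped with an installed client and a server certificate saved to disk.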

What’s happening and when?

Cisco Duo is replacing its root Certificate Authority bundle, resulting in two important deadlines:

  • 2nd February, 2026: Older clients may begin to experience authentication failures.
  • 31st March, 2026: Unsupported clients are expected to stop functioning entirely.

Why is Duo making this change?

This change is driven by typical security lifecycle management. Public Certificate Authorities and operating system vendors periodically retire or distrust older root certificates as policies evolve and cryptographic standards improve.

To be compliant with modern trust models and avoid future authentication failures, Duo must update its trusted CA bundle. This requires client-side updates where certificate pinning is used.

Which products are affected?

Any Duo component that embeds a pinned CA bundle must be updated. This may include:

  • Duo Authentication Proxy
  • Duo Desktop applications (Windows, macOS, Linux)
  • SDKs and API client libraries
  • Duo Network Gateway and supporting services

Further information and guidance on which products are affected and how you can identify what may have been deployed in your organisation can be found here.

Duo Mobile has already been updated to include the new CA bundle. In most environments, users with automatic app updates enabled should already be compliant with the changes.

Organisations that restrict mobile updates or manage devices centrally should verify that supported versions are deployed before February 2026.

Warning from Duo about older Android versions:

NOTE: If you have Android 8, 9, or 10 users who will side-load the special Duo Mobile 4.33.1 or 4.57.1 builds, DO NOT apply this policy to them, as they will receive the warning message suggesting they update the app. A suggestion for handling this would be to create a group in Duo with these unsupported Android version users, and then apply a user-group policy to that group that does not warn users to update the Duo Mobile app version.

What should you do to prepare for the changes?

To ensure a smooth transition ahead of Duo’s upcoming Certificate Authority changes, here’s a checklist of actions to complete before the February 2026 deadline:

  • Inventory all Duo software and integrations
  • Confirm installed versions against Duo’s minimum requirements
  • Schedule upgrades ahead of February 2, 2026
  • Test authentication workflows post-upgrade
  • Communicate upcoming changes to users

Speak to our team to discuss your security priorities, and find out how we can help you assess the security of your applications and infrastructure. Our team provides penetration testing services across a broad range of technologies to help secure your organisation.

*** This is a Security Bloggers Network syndicated blog from Labs Archive - Sentrium Security authored by James Drew. Read the original post at: https://www.sentrium.co.uk/labs/duo-certificate-authority-ca-bundle-update-important-changes-coming-february-2026